Forum Discussion

sa1eh
Jul 15, 2019

Http auth agent against SSL backend is not allowed

I have an application that sends an OTP to users from an external API, but the HTTP AAA server doesn't accept HTTPS requests; it shows me the following message:

In AAA HTTP server, Using Http auth agent against SSL backend is not allowed, please, create a layered virtual server with serverssl profile

I created a virtual server with the external API IP on port 80 and serverssl, and a pool with the same external API IP but on port 443; the APM policy still didn't respond.

Can you give me some guidance on how to proceed?

  • are you stuck with this sa1eh?

    I quickly built the general concept and for me it works. Well, I see the request at the pool member of the layered virtual server.

    Can you determine if the request arrives there at all?

    • sa1eh

      Yes, still stuck.

      Can you please explain the steps to do a layered virtual server?

  • sure

    You create a virtual server with any IP address on port 80, and you use that IP address in the AAA HTTP server as http://<ip>. You attach a server SSL profile to it. The pool for that virtual server contains the actual IP address you want to send the traffic to, on port 443.


    • sa1eh

      This is the service URL:

      https://xservices.rich.sa/RiCHClientServiceREST.svc/SendSmsLoginGet?username=???&password=???&Sender=???&Text=???&number=???

      I did a virtual server with 192.168.x.x port 80 and a pool with 95.177.212.58 port 443, which is the public IP of the service.

      I followed this tutorial: https://devcentral.f5.com/s/articles/you-down-with-otp

      and this is my APM policy:

      and this is AAA HTTP:

  • Hi sa1eh,

    did you manage to make it work? I have the same problem, but I don't understand how to configure the layered VS; my SMS gateway works only via HTTPS. I really don't understand how to debug it; I hope someone can help me.

    Thank you in advance

    Luca

    • sa1eh

      Hi Luca

      Yes, still stuck. I tried the solution provided by boneyard and still nothing is happening, but I really think his way is right; I think I have some technical issue with how the F5 is wired.

  • sa1eh / Luca, this should not have anything to do with wiring.

    Troubleshooting starts with tcpdump: do you see the request?

    First question: when you tcpdump, do you see the request for the 192.168.x.x?

  • Hi all,

    if it can help, I've solved my problem with the help of customer support. In my case I've configured a VS listening on HTTP with the HTTPS servers as the default pool. Then I've configured my HTTP access as a custom POST and modified it as needed. I suggest logging the headers with tcpdump and adjusting the POST as needed.

    Luca

  • Thriff

    Hi,

    I got our AAA HTTP Auth working with a layered VIP that also sent it through an outbound proxy, since the F5 instance itself is firewalled and can't talk directly to the internet.

    Traffic flow:
    HTTP AUTH -> sms_service_80 (REDIRECT) -> sms_service_443 -> outbound-proxy -> External SMS OTP service (internet)

    In the HTTP Auth config, set Number Of Redirects To Follow to 1 so that it accepts a redirect.

    Here's an AS3 snippet of the VS config:

    "sms_service_80": {
        "class": "Service_HTTP",
        "remark": "SMS Service Redirect",
        "virtualAddresses": [
            "10.0.0.1"
        ],
        "virtualPort": 80,
        "persistenceMethods": [],
        "iRules": [
            {
                "use": "sms-redirect.irule"
            }
        ],
        "snat": "auto"
    },
    "sms_service_443": {
        "class": "Service_HTTPS",
        "remark": "SMS Service Proxy",
        "virtualAddresses": [
            "10.0.0.1"
        ],
        "virtualPort": 443,
        "redirect80": false,
        "pool": "proxy-pool",
        "profileHTTP": {
            "use": "proxy-http"
        },
        "clientTLS": {
            "bigip": "/Common/serverssl"
        },
        "serverTLS": {
            "bigip": "/Common/clientssl"
        },
        "persistenceMethods": [],
        "snat": "auto"
    },
    "proxy-pool": {
        "class": "Pool",
        "monitors": [],
        "loadBalancingMode": "least-connections-member",
        "members": [
            {
                "shareNodes": true,
                "adminState": "enable",
                "servers": [
                    {
                            "name": "outbound-proxy.localdomain.com",
                            "address": "10.1.1.1"
                    }
                ],
                "servicePort": 8080
            }
        ]
    },
    "proxy-http": {
        "class": "HTTP_Profile",
        "proxyConnectEnabled": true
    },

    And the custom redirect iRule "sms-redirect.irule" that keeps method and body intact:

    when HTTP_REQUEST priority 500 {
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
        # 308 Permanent Redirect: Similar to 301, but it ensures that the method and body of the request are not changed
        HTTP::respond 308 Location "https://[HTTP::host][HTTP::uri]"
    }

    You also want to either add the external SMS-service hostname as a local alias on the F5 instance with the HTTP Auth in (System ›› Configuration : Device : Hosts) and keep the FQDN in the HTTP Auth config.
    E.g:

    Or change it with an iRule on the 443 VS, and have the local IP in the HTTP Auth config:

    when HTTP_REQUEST_RELEASE priority 500 {
        HTTP::host "sms-service.example.com"
    }

    Otherwise the outbound proxy won't know where to send the request.

    Hope this helps someone (:
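    The layered-VS design above (boneyard's description and Thriff's AS3 snippet) has several pieces that must agree before the AAA HTTP agent's request ever reaches the HTTPS backend. The following Python lint is an added example, not part of this thread or of F5's tooling; it walks a constructed AS3 fragment modelled on the snippet (sample addresses and names) and flags the usual mismatches, including the one behind the original error: in AS3, `clientTLS` is the serverssl profile, because BIG-IP is the TLS client toward the pool.

```python
import json

# Constructed AS3 fragment modelled on the layered-VS design Thriff describes.
# Addresses, object names and profile paths are sample values, not a real site.
AS3_APP = json.loads("""
{
  "sms_service_80":  {"class": "Service_HTTP",  "virtualAddresses": ["10.0.0.1"],
                      "virtualPort": 80, "iRules": [{"use": "sms-redirect.irule"}]},
  "sms_service_443": {"class": "Service_HTTPS", "virtualAddresses": ["10.0.0.1"],
                      "virtualPort": 443, "pool": "proxy-pool",
                      "profileHTTP": {"use": "proxy-http"},
                      "clientTLS": {"bigip": "/Common/serverssl"},
                      "serverTLS": {"bigip": "/Common/clientssl"}},
  "proxy-pool": {"class": "Pool", "members": [{"servicePort": 8080,
                 "servers": [{"address": "10.1.1.1"}]}]},
  "proxy-http": {"class": "HTTP_Profile", "proxyConnectEnabled": true}
}
""")


def lint_layered_vs(app, http_name, https_name, via_proxy=False):
    """Check the HTTP entry VS -> HTTPS VS -> pool chain; return a list of findings."""
    findings = []
    entry, tls_vs = app.get(http_name, {}), app.get(https_name, {})
    # The AAA HTTP agent only speaks plain HTTP, so the entry VS must be Service_HTTP.
    if entry.get("class") != "Service_HTTP" or entry.get("virtualPort", 80) != 80:
        findings.append(f"{http_name}: entry VS must be a Service_HTTP on port 80")
    if not entry.get("iRules") and "pool" not in entry:
        findings.append(f"{http_name}: neither a redirect iRule nor a pool, requests go nowhere")
    # The 308 Location keeps the host, so the 443 VS must live on the same address.
    if entry.get("virtualAddresses") != tls_vs.get("virtualAddresses"):
        findings.append(f"{https_name}: must share the virtual address of {http_name}")
    # AS3 names the profiles from BIG-IP's point of view: 'clientTLS' is the
    # serverssl profile (BIG-IP is the TLS client toward the pool), which is the
    # profile the "Http auth agent against SSL backend" error asks for.
    if "clientTLS" not in tls_vs:
        findings.append(f"{https_name}: no clientTLS (serverssl), backend would get plaintext")
    pool = app.get(tls_vs.get("pool", ""), {})
    if pool.get("class") != "Pool" or not pool.get("members"):
        findings.append(f"{https_name}: pool is missing or has no members")
    # A forward proxy needs a CONNECT tunnel, otherwise it sees an unroutable request.
    prof = app.get(tls_vs.get("profileHTTP", {}).get("use", ""), {})
    if via_proxy and not prof.get("proxyConnectEnabled"):
        findings.append(f"{https_name}: pool is a proxy but proxyConnectEnabled is not set")
    return findings


if __name__ == "__main__":
    for line in lint_layered_vs(AS3_APP, "sms_service_80", "sms_service_443", True) or ["OK"]:
        print(line)
```

    Removing `clientTLS` from the 443 VS (the mistake the error message points at) or `proxyConnectEnabled` from the HTTP profile each produce exactly one finding against the sample fragment.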